The last thing any company wants is to end up as the next headline due to a cyber attack that compromised its confidential data. The incident would tarnish its brand reputation, which could lead to loss of revenue. Add to that the financial strain of settling data breach fines and legal fees. In the worst cases, some victims have no other choice but to declare bankruptcy.
That scenario is preventable, though. Using proactive and robust security measures and technologies can reduce the risks that cyber threats pose. Then again, not every organization can afford the best security solutions that money can buy. Worse, small businesses typically do not have the human resources to handle threat hunting and incident response.
Readily available and affordable tools such as WHOIS Lookup can help meet their threat intelligence needs and thwart both attempted and ongoing attacks. Read on to find out how.
Case Study: Attacks Piggybacking on the Coronavirus
Cybercriminals are known for riding on hot and timely news and events as part of their social engineering tactics. The recent coronavirus outbreak, which sparked global interest, is no exception.
Several reports have cited various malware families using the outbreak as a means to get their victims’ attention. Among other tactics, cybercriminals have been sending out spam emails with malicious attachments. When downloaded and opened, the malware-laced attachments dropped malware such as Emotet (a banking Trojan) and Nanocore (a remote access Trojan [RAT]), among others, onto the users’ systems. These malicious programs enabled the threat actors to obtain victims’ online banking credentials (in Emotet’s case) or take full control of infected computers for use in other attacks (in Nanocore’s case).
So, what can affected organizations do? How can such an attack be stopped? A possible solution is performing simple WHOIS searches to know more about the attack and block access to and from all potential threat sources. The next section goes into more detail on this.
How Can WHOIS Searches Help Thwart Coronavirus-Themed Mal-spam Campaigns?
WHOIS search tools such as WHOIS Lookup give users access to an extensive database that contains billions of WHOIS records. These records provide domain ownership and other details that can serve as clues as to who is behind an attack. Those details can then help users identify other potential attack sources (other domains, IP addresses, email addresses) that they would need to block.
Let’s take a look at one of the known indicators of compromise (IoCs) likely related to a coronavirus mal-spam campaign—http://www[.]oasineldeserto[.]info/mio/8ji5-gr4qnc20-78404477/ (obtained from the publicly accessible IoC repository, VirusTotal). The first thing users need to do is block any inbound communication from the domain oasineldeserto[.]info to avoid malware infection. Blocking outbound access to it from any network-connected computer is a must as well.
The next logical step is to run a WHOIS search for the domain oasineldeserto[.]info. We found out that its registrant is GESTCOM di DE MARTIN T. LUCILLA. While the cybercriminals may have used a fake identity, it won’t hurt to be cautious. Users can search for all other domains with the same registrant on a reverse WHOIS lookup tool. We did so and found nine connected domains with that detail. Users can add these domains to their monitoring list for further investigation or even blacklist them for immediate blocking.
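The two steps above (block the IoC's own domain, then pivot on the registrant to find connected domains) are easy to automate. The script below is an added example, not code from the article or from WhoisXML API; it refangs a defanged IoC URL, extracts the domain, looks up the registrant, pivots to other domains with the same registrant, and renders the block entries as DNS Response Policy Zone records. The WHOIS and reverse-WHOIS service is replaced by a small constructed in-memory table: only the registrant name for oasineldeserto.info is the one quoted in the article, and every other domain and registrant in the table is made up. One caveat a practitioner would want is included: when the registrant field is a privacy or proxy value (such as "REDACTED FOR PRIVACY"), the pivot is skipped, because every other customer of that privacy service would otherwise land on the watch list.

```python
"""Pivot from a defanged IoC URL to a registrant-based block/watch list.

Added example; the WHOIS data is a constructed stand-in, not a real lookup.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for a WHOIS / reverse-WHOIS service: domain -> registrant name.
# Only the registrant string for oasineldeserto.info is the one quoted in the article;
# the other domains and registrants are made up for this example.
SAMPLE_WHOIS: Dict[str, str] = {
    "oasineldeserto.info": "GESTCOM di DE MARTIN T. LUCILLA",
    "connected-1.example": "GESTCOM di DE MARTIN T. LUCILLA",
    "connected-2.example": "GESTCOM di DE MARTIN T. LUCILLA",
    "unrelated.example": "Some Other Registrant",
    "hidden.example": "REDACTED FOR PRIVACY",
}

# Registrant strings that identify a privacy/proxy service rather than a person or
# company. Pivoting on these would sweep in every customer of the service.
PRIVACY_MARKERS = ("REDACTED FOR PRIVACY", "PRIVACY", "PROXY", "WHOISGUARD", "DATA PROTECTED")


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] / (.) / {.} -> ., [:] -> :, [@] -> @."""
    s = re.sub(r"(?i)hxxp", "http", ioc)
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    return s.replace("[://]", "://").replace("[:]", ":").replace("[@]", "@")


def domain_from_ioc(ioc: str) -> str:
    """Extract the domain to block from a (possibly defanged) IoC URL or hostname."""
    url = refang(ioc.strip())
    if "://" not in url:
        url = "http://" + url  # bare hostnames and scheme-less URLs
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no hostname in IoC: {ioc!r}")
    # Simplification: drop a leading "www." so the entry covers the apex name.
    # A real deployment should use the public suffix list to find the registrable domain.
    return host[4:] if host.startswith("www.") else host


def is_privacy_protected(registrant: str) -> bool:
    """True when the registrant field is a privacy/proxy placeholder, not an identity."""
    upper = registrant.upper()
    return any(marker in upper for marker in PRIVACY_MARKERS)


def whois_registrant(domain: str, table: Dict[str, str] = SAMPLE_WHOIS) -> Optional[str]:
    """Stand-in for a WHOIS lookup: returns the registrant name or None if unknown."""
    return table.get(domain)


def reverse_whois(registrant: str, table: Dict[str, str] = SAMPLE_WHOIS) -> List[str]:
    """Stand-in for a reverse WHOIS search: all domains registered under the same name."""
    return sorted(d for d, r in table.items() if r == registrant)


def build_blocklist(iocs: Iterable[str], table: Dict[str, str] = SAMPLE_WHOIS) -> dict:
    """Step 1: block each IoC's domain. Step 2: pivot on its registrant for a watch list."""
    block, watch, skipped = set(), set(), []
    for ioc in iocs:
        domain = domain_from_ioc(ioc)
        block.add(domain)  # the IoC's own domain is blocked unconditionally
        registrant = whois_registrant(domain, table)
        if registrant is None:
            skipped.append((domain, "no WHOIS record"))
            continue
        if is_privacy_protected(registrant):
            skipped.append((domain, f"registrant is a privacy/proxy value: {registrant}"))
            continue
        # Connected domains go on a watch list for analyst review, not straight to block.
        watch.update(d for d in reverse_whois(registrant, table) if d != domain)
    watch -= block
    return {"block": sorted(block), "watch": sorted(watch), "skipped_pivots": skipped}


def to_rpz(domains: Iterable[str]) -> List[str]:
    """Render domains as DNS RPZ records that NXDOMAIN the name and all its subdomains."""
    lines: List[str] = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    # Constructed IoC list: the first URL is the one quoted in the article, the second is made up.
    iocs = [
        "http://www[.]oasineldeserto[.]info/mio/8ji5-gr4qnc20-78404477/",
        "hxxp://hidden[.]example/payload.doc",
    ]
    result = build_blocklist(iocs)
    print("block:", result["block"])
    print("watch (review before blocking):", result["watch"])
    for domain, why in result["skipped_pivots"]:
        print(f"pivot skipped for {domain}: {why}")
    print("\n".join(to_rpz(result["block"])))
```

Swapping `SAMPLE_WHOIS` for calls to a real WHOIS and reverse-WHOIS API is the only change needed to run this against live data; the privacy-marker check and the separation between the block list and the analyst-reviewed watch list are what keep a registrant pivot from blocking unrelated domains.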
These days, no business is safe from cyber attacks, and the fact that cybercriminals have a knack for using baits that work on less tech-savvy, cybersecurity-unaware employees doesn’t help. Companies thus need to use tools that help defend their employees and networks against all likely sources of threats. WHOIS search tools can help them block threats at the source.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.